02/10/2005 09:20 9725837864 ERICSSON IPR LEGAL PAGE 18/43

WAP W3C Mobile Privacy Workshop
W3C Technology and Society


Joint Workshop on Mobile Web Privacy

WAP Forum & World Wide Web Consortium

7-8 December 2000
Munich, Germany

Agenda

Minutes from workshop: Day 1, Day 2
Workshop Report and Summary
Position Papers

Background Materials
Call for Participation

Important dates

Registration deadline: 2 December 2000.
Papers submission deadline: 6 November 2000.

Workshop meter

On 1 December 2000: 45 registrations, 20 position papers expected, and 45 persons on the mailing list.


Pages created and maintained by Daniel J. Weitzner <djweitzner@w3.org>, Mobile Web Privacy Workshop Co-Chair.
$Id: overview.html,v 1.5 20


http://www.w3.org/P3P/mobil


Index of /P3P/mobile-privacy-ws/papers

Name                   Last modified       Size  Description

Parent Directory       06-Apr-2004 22:31      -
JPhoneEast.html        05-Dec-2000 15:27     2k
arthurandersen.html    05-Dec-2000 15:54    52k  Wie sicher ist mobile >
avenuea.html           05-Dec-2000 05:18    13k
dqlev.html             05-Dec-2000 14:54    10k  CellularPersonalID
gunderman.html         04-Dec-2000 16:42    10k  Workshop on Mobile Web>
ibm.html               23-Nov-2000 02:05    12k  Mobile Web Privacy
ipse.html              05-Dec-2000 15:13     9k  iPSE_MunichWorkshop
karlstad.html          23-Nov-2000 01:41    11k  Privacy Enhancement in>
motorola.html          23-Nov-2000 01:53     3k  Joint Workshop on Mobi>
nextel.html            23-Nov-2000 01:37    23k  Privacy
nokia.html             23-Nov-2000 01:50     4k  Privacy for Location D>
siemens.html           23-Nov-2000 01:46     3k  TL Weber, Siemens Cor>
xypoint.html           23-Nov-2000 02:09    13k  Xypoint Position Paper
zks.html               23-Nov-2000 01:33     4k  The Difference Between>


http://www.w3.org/P3P/mobile-privacy-ws/papers/


Privacy Enhancement in the Mobile Internet    Page 1 of 3

Position paper: Privacy Enhancement in the Mobile Internet

Simone Fischer-Hübner, Helena Lindskog
Karlstad University
Computer Science Department
Sweden
http://www.cs.kau.se/~simone/
http://www.cs.kau.se/~helena/

Introduction: 

Our Computer Security Research Group within the Computer Science Department at Karlstad University has recently
started to work on the project "Enhancing Privacy for Web-based Services in wireline and wireless Networks". Within
the project, we assess privacy threats and problems for the Mobile Web and work on privacy-enhancing technologies
for protecting personal information. One major research issue is how the Composite Capability/Preference Profile
(CC/PP) information can be protected by using CC/PP with P3P (Platform for Privacy Preferences) and how P3P can
be enhanced.


Expectations on the final outputs of the workshop: 

We expect that privacy problems and risks in the Mobile Web environment will be made clear. Besides, specific legal
provisions to protect privacy in the mobile web, needed in addition to existing general data protection legislation, should
be suggested. Privacy is increasingly becoming an international problem, because communication data often crosses
state borders. An international harmonization of privacy legislation is necessary, but hardly achievable due to cultural
differences (see also [Fischer-Hübner 2000]). The recent transatlantic debate about the adequacy of the Safe Harbor
privacy principles in comparison with the EU data protection Directive has demonstrated the difficulty of harmonizing
data protection regulations. For this reason, and also because law is not an ultimate protection, it is important to protect
and enforce privacy also by technology. Our main expectation on the final outputs of the workshop is therefore that
privacy enhancing technologies for protecting the mobile web users should be discussed and suggested.

General perspective on privacy challenges raised by mobile Web services: 

In the networked society, the individual's privacy is at risk. A side-effect of global wireline or wireless communication
is that transactional data of the users can be collected at different sites (e.g., service provider site, server site, sites
passing on messages) and can be used to create communication or consumer profiles.

WAP gateways receive, translate and forward all requests telling who requests what using what device and thus can 
easily create extensive personal user profiles. 

Personal user data can also be accumulated at the origin server's site. Web or WAP server sites often ask for user- and
user-side specific data to offer customised services or for market analysis purposes. Input parameters to a mobile
context aware service can be the user identity, user location, device type and capabilities, user settings in the device, the
user's previous behavior as well as PIM (personal information management) data.

The user identity can often be retrieved by the origin server behind the user's back, by using MSISDN number
forwarding or user-id forwarding from the WAP gateway or an access server. Whether or not the user's actual identity
can be retrieved depends on the type of subscription that the user has for the specific service. In most countries
MSISDN forwarding to outside the operator's environment is forbidden by law, but it is sometimes possible to extend
the operator's environment to include content providers. If user-id forwarding from other components in the network is
not used, HTTP basic authentication (HTTP 401) or a simple web page logon procedure can be used to reveal the
user's identity.

Standard HTTP behavior is to have the browser name passed on with the request. However, in the mobile Internet
world, passing on this information does not only tell the receiving application what application the user is running, as in
the web case. From the browser name, the device type and version can usually be derived as well.

The Composite Capability/Preference Profiles (CC/PP) are proposed by W3C as a collection of capabilities and 
preferences associated with users and the user agents to access the World Wide Web. Particularly in wireless networks 
CC/PP is intended to provide information necessary to adapt the content and the content delivery mechanisms to best 
fit the capabilities and preferences of the users and their agents. However, the capabilities and preference information 
(CPI) contains detailed characteristics about the user's device, software, network and personal settings, which can be 
unique for a specific user with a specific device. Thus, the CPI can serve as a unique identifier and can, like a user-id, 
be used to trace a user's request activities at the origin server's site. CPI in combination with the user-id can tell what 
device, software or network a user is using. Such information can be misused for launching attacks against the user, if it 
gets into the wrong hands. 

The User Agent Profile (UAProf) specification, which seeks interoperability with the CC/PP standard, also defines the
user location as a reserved attribute. The user's location can be retrieved in two ways: either by using GPS or similar
integrated with the device and then sending the information with the request, or by having the application retrieve the
user's position through the knowledge that the operator has based on radio base station information. Sending the
position with the request can be done in several ways: by using the UAProf attribute, or a proprietary HTTP header.

Thus at the server site, different personal characteristics of users can be available, which could be used to trace their
requests, habits, preferences and movements and to create user profiles. For context-aware services, extensive storage
of user data is necessary. On the other hand, the user's privacy rights and interests have to be protected as well.

Our potential contributions:

1. Suggestion how CC/PP can be used with P3P:

The CC/PP working group has already expressed the design goal that P3P is to be used as a management
mechanism for the privacy of profiles. P3P by W3C is a protocol designed to inform Web users of the data-
collection and data-use practices (P3P policy) of web-sites and to help users to reach a semi-automated
agreement with web-sites with regard to the processing of an individual's personal data.
P3P can be used to enhance the user's privacy by transmitting CPI (and possibly other personal
characteristics) only if there is an informed consent by the user about the origin server's site data collection and
use practices (how and for what purpose CPI will be used, with whom data will be shared, how long the data will
be retained).

However, CC/PP cannot directly be combined with the P3P standard. With the CC/PP exchange protocol, a user 
uses a modified HTTP GET request which already carries the profile or profile difference, whereas according to 
the P3P standard it is first checked whether there is a sufficient match between a user's privacy preferences and 
the remote server's privacy policy before any personal data is transmitted. 

Thus, in order to use CC/PP with the P3P standard, the CC/PP exchange protocol should first use a GET request
that carries a profile with only minimal information about device properties (such as screen size, voice/graphic
capabilities), to which a service would respond with a reference to a P3P policy. The user agent would then fetch
the policy and compare it with the user's preferences to determine whether CPI should be transmitted. The user
should have the possibility to choose the level of protection by defining privacy preferences for the whole CPI, or
different preferences for CPI components and/or attributes.

2. How can P3P be combined with other security mechanisms to support basic requirements of the EU data
protection Directive:

Whereas P3P can implement informed consent, P3P alone does not support other basic provisions of the EU data
protection directive, such as purpose restriction (Art. 6b: legitimacy), necessity of data collection and processing
(Art. 6c: adequacy) and the right of access (Art. 12). Thus P3P alone is not a sufficient solution.

Within a former research project, a formal privacy model has been developed and implemented according to the
Generalized Framework of Access Control approach in the Linux system kernel [Fischer-Hübner/Ott 1998].
The privacy model was designed as a security model that can technically enforce legal privacy requirements such
as purpose restriction and necessity of data processing. It is planned to adapt the privacy model implementation,
so that it can be used in combination with third party monitoring and assurance to protect P3P data elements at
the server's site, so that personal data elements are collected and processed only as far as necessary and only used
for the specified purposes.

3. Encourage the discussions of privacy-enhanced system concepts to protect user identities at the WAP gateway
site:

The use of privacy-enhancing technologies such as for instance Mix nets for providing anonymity at the WAP
gateway site should be examined. A Mix net introduced by D. Chaum [Chaum 1981] can realize unlinkability of
sender and recipient and sender anonymity against the recipient. If a request were sent through a mix net to
the gateway, the user identity could be hidden from the gateway.

References:

[Chaum 1981] David Chaum, "Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms",
Communications of the ACM, 24 (2), 1981, pp. 84-88, http://world.std.com/~franl/crypto/chaum-acm-1981.html

[Fischer-Hübner/Ott 1998] Simone Fischer-Hübner, Amon Ott, "From a Formal Privacy Model to its Implementation",
Proceedings of the 21st National Information Systems Security Conference, Arlington, VA, October 5-8, 1998

[Fischer-Hübner 2000] Simone Fischer-Hübner, "Privacy and Security at Risk in the Global Information Society", in:
D. Thomas, B. Loader (Eds): Cybercrime, Routledge, London and New York, 2000
Definition of Privacy:

Alan Westin (Columbia University, 1967):

"the claim of individuals, groups and institutions to determine for themselves, when,
how and to what extent information about them is communicated to others"

Basic privacy principles:

• authorisation by law or consent

• necessity of data collection and processing

• purpose specification and purpose binding
(there are no "non-sensitive" data)

• right of access / notification / objection

• supervision and sanctions

• adequate organisational and technical safeguards

Simone Fischer-Hübner    Privacy Enhancement in the Mobile Internet
Mobile Web Privacy Issues:

[Diagram: WAP Device -> WAP Gateway/Proxy -> Origin Server]

WAP Gateway/Proxy: anonymization enabled, but: complete profile of user activities

Origin Server:
- user ID (if user logged on or if forwarded)
- CC/PP - CPI (device, software, network, pers. settings)
- user location (UAProf reserved attribute)


Privacy is an international problem

Problem of International Harmonisation of Privacy Legislation:

Is a common harmonised approach to privacy possible
due to cultural/historical/political differences?

Example:

Europe:                                            vs. USA:
- EU Data Protection Directive                     - no omnibus privacy legislation
- EU Telecommunication Data Protection Directive   - self-regulation in the private sector
                                                   - no oversight authority

Safe Harbour Principles as a solution?
Protection at Server site: Combining P3P and CC/PP

Platform for Privacy Preferences (P3P):

[Diagram: User agent <-> Web Server]
  request P3P policy reference file  ->
  <-  send P3P policy reference file
  request P3P policy  ->
  request web page  ->

User agent has to:                        Indication to P3P policy reference file through:
- request P3P policy reference file       - well-known location (/w3c/p3p.xml)
- request P3P policy                      - html link tag
- match policy with user preferences      - http header
- accept/ reject/ inform/ warn
CC/PP-WAP:

[Diagram, WSP leg between the device and the WAP gateway, HTTP leg between the gateway and the origin server]
  WSP request with profile information or difference  ->
  request in HTTP with profile information  ->
  <-  response in HTTP with adapted content
  <-  response in WSP with adapted content
Combining CC/PP and P3P:

- Initial request with minimal profile information (screen size, voice capabilities,
  graphic capabilities)

- Users should be able to define P3P preferences for whole CPI or for CPI
  components or attributes

- P3P categories for CPI: computer, preferences, location
P3P Enhancements:

P3P privacy problems:

Are users forced/pushed to give up privacy?

P3P alone does not fulfil the following EU-Directive requirements:

• Legitimacy (Art. 6b)

• Adequacy (Art. 6c)

• Right of Access (Art. 12)

• Adequate level of protection for transborder data flow

Protection of P3P data at the Server site:

Formal Task-based Privacy Model + Third Party Assurance
A Formal Task-based Privacy Model:

∀ S : Subjects, O : Personal Data Objects:

Task-Authorisation:
  current-task(S) ∈ authorised-tasks(S)

TP-Authorisation:
  current-TP(S) ∈ authorised-TP(current-task(S))

Necessity of data processing:
  If S has x-access to O ⇒
    (current-task(S), class(O), current-TP(S), x) ∈ necessary-accesses

Purpose binding:
  If S has x-access to O ⇒
    purpose(current-task(S)) ∈ purposes(class(O)) ∨
    (purpose(current-task(S)), O) ∈ consent
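The four conditions above can be evaluated mechanically. The following Python is an added example written for this page, not the Karlstad group's Linux/GFAC implementation: it encodes the slide's relations as sets and dictionaries, reads TP as a Clark-Wilson-style transformation procedure (an assumption), and checks a constructed origin-server scenario in which CPI and location data may only be used for service provision unless the data subject has consented.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    name: str
    current_task: str
    current_tp: str   # TP read as a Clark-Wilson style transformation procedure (assumption)


@dataclass
class PrivacyModel:
    """State of the task-based model: the relations the four slide conditions refer to."""
    authorised_tasks: dict[str, set[str]]               # S -> authorised-tasks(S)
    authorised_tp: dict[str, set[str]]                  # task -> authorised-TP(task)
    purpose: dict[str, str]                             # task -> purpose(task)
    purposes: dict[str, set[str]]                       # object class -> purposes(class)
    necessary_accesses: set[tuple[str, str, str, str]]  # (task, class, TP, access mode x)
    consent: set[tuple[str, str]]                       # (purpose, O): data subject consented
    object_class: dict[str, str]                        # O -> class(O)

    def check(self, s: Subject, o: str, x: str) -> list[str]:
        """Evaluate an x-access of S to O; returns the names of the violated conditions."""
        violated = []
        # Task-Authorisation: current-task(S) ∈ authorised-tasks(S)
        if s.current_task not in self.authorised_tasks.get(s.name, set()):
            violated.append("task-authorisation")
        # TP-Authorisation: current-TP(S) ∈ authorised-TP(current-task(S))
        if s.current_tp not in self.authorised_tp.get(s.current_task, set()):
            violated.append("tp-authorisation")
        cls = self.object_class[o]
        # Necessity: (current-task(S), class(O), current-TP(S), x) ∈ necessary-accesses
        if (s.current_task, cls, s.current_tp, x) not in self.necessary_accesses:
            violated.append("necessity")
        # Purpose binding: purpose(current-task(S)) ∈ purposes(class(O)) ∨
        #                  (purpose(current-task(S)), O) ∈ consent
        p = self.purpose.get(s.current_task)
        if not (p in self.purposes.get(cls, set()) or (p, o) in self.consent):
            violated.append("purpose-binding")
        return violated


def build_example_model() -> PrivacyModel:
    """Constructed sample: an origin server holding CC/PP data (CPI) and location data."""
    return PrivacyModel(
        authorised_tasks={"adapt-srv": {"content-adaptation", "market-analysis"},
                          "billing-srv": {"billing"}},
        authorised_tp={"content-adaptation": {"render-page"},
                       "market-analysis": {"build-profile"},
                       "billing": {"charge"}},
        purpose={"content-adaptation": "service-provision",
                 "market-analysis": "marketing",
                 "billing": "billing"},
        purposes={"cpi-device": {"service-provision"},
                  "cpi-location": {"service-provision"},
                  "user-id": {"billing"}},
        necessary_accesses={("content-adaptation", "cpi-device", "render-page", "read"),
                            ("content-adaptation", "cpi-location", "render-page", "read"),
                            ("market-analysis", "cpi-location", "build-profile", "read"),
                            ("billing", "user-id", "charge", "read")},
        consent={("marketing", "loc:alice")},   # only Alice consented to marketing use of her location
        object_class={"dev:alice": "cpi-device", "loc:alice": "cpi-location",
                      "loc:bob": "cpi-location", "id:bob": "user-id"},
    )


if __name__ == "__main__":
    m = build_example_model()
    adapt = Subject("adapt-srv", "content-adaptation", "render-page")
    analyse = Subject("adapt-srv", "market-analysis", "build-profile")
    print(m.check(adapt, "dev:alice", "read"))      # []
    print(m.check(analyse, "loc:alice", "read"))    # [] because of Alice's consent
    print(m.check(analyse, "loc:bob", "read"))      # ['purpose-binding']
    print(m.check(analyse, "dev:alice", "read"))    # ['necessity', 'purpose-binding']
```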
Protection at the WAP Gateway Site

Anonymizing Proxies or Mix net concepts
for protecting User Identities?

[Diagram: WAP Device ... Origin Server]


TITLE OF THE INVENTION

Minimal Profile Conveyance - enhanced P3P for Mobile Internet.

Helena Lindskog, Mikael Nilsson and Simone Fischer-Hübner.

TECHNICAL FIELD

Privacy in Mobile Internet.

STATE OF THE ART

In a very short time, the mobile Internet has grown into immense proportions. Its
mechanisms allow users both to access the Internet services and other server-based
applications from mobile devices, and make new services possible, such as location-
based and context-aware applications. Today, WAP (Wireless Application Protocol)
and iMode are the most frequently used technologies besides standard HTML over
modified TCP/IP used in most Personal Digital Assistants (PDA). While mobile web
services can be of great use, the privacy risks have to be considered, and appropriate
data protection and privacy safeguards must be ensured. It is necessary to prevent
mobile Internet users from being under permanent surveillance, and from having, as their
only possibility to protect their privacy, not to use the mobile services at all.

PROBLEM 

The W3C P3P candidate recommendation specifies a protocol that provides an
automated way for users to gain more control over the use of personal data on web
sites they visit. P3P enables Web sites to express their privacy practices in a machine-
readable XML format that can be retrieved automatically, interpreted easily and
compared with the user's privacy preferences by user agents. Using this information,
the user can make informed decisions on whether or not to submit a certain piece of
personal information to the Web site.

In order to protect the user's right for informational self-determination, users should
have control over the CPI of their devices, and determine themselves how far and to
what extent they want to communicate profile information to other sites.

The CC/PP working group has expressed the design goal that the Platform for Privacy
Preferences (P3P) is to be used as a management mechanism for the privacy of
profiles. P3P can enhance the user's privacy by transmitting CPI (and possibly other
personal characteristics, such as location data - unless already included as a CPI
attribute) only if there is an informed consent by the user about the origin server's site
data collection and use practices (how and for what purpose CPI will be used, with
whom data will be shared, how long the data will be retained).


However, with the CC/PP exchange protocol, a user uses a modified WSP or HTTP
GET request which already carries the profile information or profile difference,
whereas according to the P3P standard, it is first checked whether there is a sufficient
match between a user's privacy preferences and the remote server's privacy policy
before any personal data is transmitted.


Thus, in order to use CC/PP with the P3P standard, it is first required that the user
defines a minimal profile with only minimal CPI. This minimal profile should include
only such CPI (such as for instance screen size, voice or graphic capabilities) that the
user is ready to reveal even to sites with whom the user has not come to a P3P
agreement so far. In the extreme case in which the user does not want to provide any
information to possibly non-trustworthy sites, the user could define that the minimal
profile be empty.

Thus, the minimal profile can be used

> for communication in the "safe-zone" before a P3P agreement;

> for accessing non-P3P enabled web sites or web sites that do not meet the user's
P3P privacy preferences;

> and optionally for serving third party requests to the WAP Gateway for cached
profiles (for instance, to generate content that will subsequently be pushed to the
client device).

The following use case describes the steps of communication for the case where the
user has defined a minimal profile and the P3P protocol is used to agree about the data
collection and use of further CPI:

1. Upon opening a WSP session, the client conveys its minimal profile information
using Profile and Profile-Diff headers within the WSP Connect request. The WAP
Gateway caches the minimal profile for the lifetime of the session.

2. If the user wants to request content from a P3P enabled site, she first requests the
site's P3P policy reference file by issuing a standard WSP request to the WAP
Gateway. The WAP Gateway forwards the request via HTTP including the user's
minimal CPI associated with the session. After having received the policy reference
file, the user requests the privacy policy in the same manner. Thus, for the com-
munication in the safe zone, only the minimal profile is forwarded by the WAP
Gateway to the origin server.

3. The user agent compares the site's privacy policy with the user's preferences to
determine whether further CPI should be transmitted. Users should have the
possibility to choose the level of protection by defining privacy preferences for the
whole CPI, or different preferences for CPI components and/or attributes.

4. If the user or her agent accepts the origin server site's privacy policy, there are
different options of how further CPI can be transmitted to the origin server:




SOLUTION 
4.a To augment the minimal profile, the client includes profile and/or profile-diff
headers with each subsequent WSP request in that session as depicted in Figure 1.
The WAP Gateway then overrides the cached minimal profile with the provided
headers when it generates an HTTP request.

4.b The user sends a WSP session Resume message to the WAP Gateway containing
profile and/or profile-diff headers with the new CPI and the WAP Gateway will
update the cached CPI for that session, as shown in Figure 2.

Also, if the user agrees that certain CPI attributes (e.g., the user location) might be
augmented by the WAP Gateway, the WSP requests or resume message should have a
flag attribute set that authorizes the WAP Gateway to add that information to the CPI.
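The user-agent side of step 3, which is also what the position paper's first contribution and the "Combining CC/PP and P3P" slide describe, as an added Python example that is not part of the original documents: the minimal profile is always conveyed, and every other CPI attribute is released only if the site's P3P statement for its category (computer, preferences, location) satisfies the user's per-category or per-attribute preferences. Attribute names, purposes and the retention ordering are this example's constructed assumptions, modelled on P3P vocabulary.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# P3P RETENTION values, ordered from least to most retention (ordering is this example's assumption).
RETENTION_ORDER = ["no-retention", "stated-purpose", "legal-requirement",
                   "business-practices", "indefinitely"]

# Constructed full CPI of a device, grouped by the P3P data categories the slides assign
# to CPI (computer, preferences, location). Attribute names and values are illustrative.
FULL_CPI = {
    "computer": {"ScreenSize": "120x160", "ColorCapable": "No",
                 "BrowserName": "ExampleWAPBrowser/1.0"},
    "preferences": {"PreferredLanguage": "sv", "SoundOutputCapable": "No"},
    "location": {"Position": "59.38N,13.50E"},
}

# Minimal profile: the attributes the user reveals even without a P3P agreement (safe zone).
MINIMAL_PROFILE = {"computer": {"ScreenSize", "ColorCapable"}}


@dataclass
class Preferences:
    """User's P3P-style preferences: allowed purposes and maximum retention per CPI
    category, with optional per-attribute overrides (the finer granularity the text asks for)."""
    by_category: dict[str, tuple[set[str], str]]
    by_attribute: dict[str, tuple[set[str], str]] = field(default_factory=dict)

    def lookup(self, category: str, attribute: str) -> tuple[set[str], str]:
        return self.by_attribute.get(attribute, self.by_category[category])


def retention_acceptable(policy_retention: str, max_retention: str) -> bool:
    return RETENTION_ORDER.index(policy_retention) <= RETENTION_ORDER.index(max_retention)


def select_cpi(policy: dict[str, dict] | None, prefs: Preferences,
               full_cpi=FULL_CPI, minimal=MINIMAL_PROFILE) -> dict[str, str]:
    """Return the CPI attributes the user agent may transmit to a site.

    policy: the site's P3P statement per data category ({"purpose": set, "retention": str}),
            or None for a site that is not P3P-enabled.
    """
    selected: dict[str, str] = {}
    for category, attributes in full_cpi.items():
        for name, value in attributes.items():
            if name in minimal.get(category, set()):
                selected[name] = value          # minimal profile is always conveyed
                continue
            if policy is None or category not in policy:
                continue                        # no stated practice: hold the attribute back
            allowed_purposes, max_retention = prefs.lookup(category, name)
            statement = policy[category]
            if statement["purpose"] <= allowed_purposes and \
                    retention_acceptable(statement["retention"], max_retention):
                selected[name] = value
    return selected


# Constructed user preferences: location may only serve the current interaction and must not be
# retained; the browser name (which reveals the device type) gets a stricter per-attribute rule.
USER_PREFS = Preferences(
    by_category={"computer": ({"current", "tailoring"}, "stated-purpose"),
                 "preferences": ({"current", "tailoring"}, "stated-purpose"),
                 "location": ({"current"}, "no-retention")},
    by_attribute={"BrowserName": ({"current"}, "no-retention")},
)

# Constructed site policy: acceptable for computer and preferences data, but it retains location.
SITE_POLICY = {
    "computer": {"purpose": {"current", "tailoring"}, "retention": "stated-purpose"},
    "preferences": {"purpose": {"current"}, "retention": "no-retention"},
    "location": {"purpose": {"current"}, "retention": "indefinitely"},
}

if __name__ == "__main__":
    print("non-P3P site:", sorted(select_cpi(None, USER_PREFS)))
    print("P3P site:    ", sorted(select_cpi(SITE_POLICY, USER_PREFS)))
```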


[Figure 1 diagram, labels recovered from the scan: WAP Gateway; safe zone;
 1 WSP Connect with minimal profile information;
 2.1 Get policy reference file (minimal profile);
 2.2 Get policy reference file with minimal profile information;
 2.3 Policy reference file; 2.4 Policy reference file;
 2.5 Get privacy policy (with minimal profile information);
 2.6 Privacy policy; 2.7 Privacy policy;
 User agent matches policy with user preferences;
 4a Get document with complete profile information;
 Response with adapted content]

Figure 1: The complete CPI is conveyed with every WSP request issued after the P3P agreement

Figure 2: The complete CPI is sent with the WSP Resume after the P3P agreement
Sending the complete profile information with each subsequent request has the
advantage that the complete CPI profile of the user device will not be cached in the WAP
Gateway. However, in contrast to option 4.b, the CPI, and thus more data, has to be
transferred with each request. Option 4.b can only be used if one privacy policy is
valid for an entire Web site.


S. FOR ERICSSON 


The need for a privacy proxy and a corresponding terminal solution is urgent. People
might refuse to use the mobile Internet if privacy is neglected. Failing to provide such
an implementation might cause reduced sales of mobile terminals. We will also have a
chance to develop and sell server-side solutions.

DEVELOPMENT PROJECT

These ideas were developed within a research project, consisting of both Ericsson and
university personnel.